Effective cyber-security depends on the generation and exchange of information.268 An ideal system would create and distribute vulnerability data (the holes intruders might exploit to gain access to computer systems), threat data (the types of malware circulating on the Internet and the types of attacks firms have suffered), and countermeasure data (steps that can be taken to prevent or combat infection by a particular piece of malicious code).269 Perhaps the best way to collect this information is through a distributed surveillance network akin to the biosurveillance system at the heart of public health law. Companies are unlikely to participate in this sort of arrangement due to fears of liability under antitrust and other laws.270 A suite of measures is therefore needed to help foster favorable incentives, including subsidies, threats of liability, and offers of immunity. These steps would not guarantee that firms will collect and share cyber-security data, but they would make such arrangements more viable than they are at present.
Public health law’s system of distributed biosurveillance seems well suited to the challenge of gathering and disseminating cyber-security data. Like health care providers who diagnose and then report their patients’ infectious diseases, firms could be tasked with monitoring their systems for vulnerabilities and intrusions, then reporting their findings and the countermeasures they have implemented to designated recipients.271 Such a system would take advantage of important information asymmetries. Individual companies often know more than outsiders about the vulnerabilities in their systems and the types of intrusions they have faced; they have a comparative advantage in compiling this data.272 The principal alternative—surveillance by a single, central regulator—is unlikely to be as effective. As F.A. Hayek emphasized, “the knowledge of the [economic] circumstances of which we must make use never exists in concentrated or integrated form, but solely as the dispersed bits of incomplete and frequently contradictory knowledge which all the separate individuals possess.”273 The same is true of cyber-security data. A central regulator lacks the capacity to examine each device that is connected to the Internet to determine its vulnerabilities, and cannot inspect every data packet transiting the Internet to determine whether it contains malicious code. And even if the scope of the project was not prohibitively vast, the privacy costs associated with a central monitor—especially a government monitor—would likely be intolerable.274 Instead, the better course would be to rely on individual firms to gather the relevant information.275

266 AM. BAR ASS’N, supra note 18, at 21; Katyal, Criminal Law, supra note 10, at 1080; Nojeim, supra note 14, at 119.
267 See supra notes 61−66 and accompanying text.
268 But see CTR. FOR STRATEGIC & INT’L STUDIES, supra note 8, at 45 (information sharing should not be “a primary goal”).
269 See supra notes 153−54 and accompanying text.
270 See supra notes 155−68, 201−08 and accompanying text.
271 Mulligan & Schneider, supra note 19, at 81.
While firms would be responsible for the lion’s share of monitoring, the government still has an important role to play: providing especially sensitive companies, such as power companies and ISPs, with information about especially sophisticated forms of malware. Here, the comparative advantage is reversed; the government’s highly resourceful intelligence agencies are simply better than the private sector at detecting intrusions by sophisticated adversaries like foreign militaries and developing countermeasures.276 The government can provide these firms with the signatures of malware used in previous attacks, and firms can use the signature files to detect future intrusions. In 2010 the National Security Agency began assisting Google in detecting intrusions into its systems. The partnership was announced in the wake of reports that sophisticated hackers, most likely affiliated with China’s intelligence service, had broken into Google’s systems and collected data about users, including a number of human rights activists.277 The NSA reportedly has entered a similar partnership with a number of large banks.278
272 See CTR. FOR STRATEGIC & INT’L STUDIES, supra note 8, at 53; Bamberger, supra note 210, at 391–92; Katyal, Criminal Law, supra note 10, at 1091. See generally Bamberger, supra note 210, at 399 (emphasizing “the information asymmetries between regulated firms and administrative agencies”).
273 F.A. Hayek, The Use of Knowledge in Society, 35 AM. ECON. REV. 519, 519 (1945).
274 Mulligan & Schneider, supra note 19, at 81.
275 See CLARKE & KNAKE, supra note 1, at 162.
276 Coldebella & White, supra note 14; Condron, supra note 19, at 407. But see O’Neill, supra note 19, at 265, 275; Taipale, supra note 96, at 9.
277 Nakashima, Google, supra note 58.
278 Andrea Shalal-Esa & Jim Finkle, National Security Agency Helps Banks Battle Hackers, REUTERS (Oct. 26, 2011, 2:51 PM), http://www.reuters.com/article/2011/10/26/us-cybersecurity-banks-idUSTRE79P5E020111026.
At least two possibilities exist for how to structure the system used to disseminate the information compiled by private firms. Some commentators have called for a central repository of cyber-security data—a “cyber-CDC,”279 as it were. Under such a system, an individual firm would notify the clearinghouse if it discovers a new vulnerability in its systems, or a new type of malicious code, or a particular countermeasure that is effective against a particular kind of threat. The repository would analyze the information, looking for broader trends in vulnerabilities and threats, then issue alerts and recommendations to other firms. This clearinghouse might be a government entity, as in public health law, but it need not be. An alternative architecture would be for firms to exchange cyber-security information with one another directly, on a peer-to-peer basis, rather than first routing it through a central storehouse. One advantage of the peer-to-peer approach is that it may be more resilient. A CDC-type clearinghouse would be an attractive target for cyber-adversaries, and the entire system would fail if it were compromised.
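The resilience argument above can be made concrete by modelling the two dissemination architectures as graphs and asking how many nodes an adversary must take out before an alert from one firm no longer reaches any healthy peer. The following is an added example written for this page, not code from the article; the firm names, the two constructed topologies (a hub-and-spoke clearinghouse versus a ring in which each firm peers with its two nearest neighbours in each direction) and the "compromised node drops everything" failure model are assumptions chosen for illustration.

```python
"""Alert reach under node compromise: clearinghouse vs. peer-to-peer (added example)."""
import itertools
from collections import deque
from typing import Dict, List, Set

Graph = Dict[str, Set[str]]  # undirected adjacency: node -> set of neighbours


def hub_and_spoke(firms: List[str], hub: str = "clearinghouse") -> Graph:
    """Every firm exchanges data only with the central repository (constructed)."""
    graph: Graph = {hub: set(firms)}
    for firm in firms:
        graph[firm] = {hub}
    return graph


def peer_to_peer(firms: List[str], fanout: int = 2) -> Graph:
    """Each firm peers with the next `fanout` firms around a ring, in both directions."""
    n = len(firms)
    graph: Graph = {firm: set() for firm in firms}
    for i, firm in enumerate(firms):
        for k in range(1, fanout + 1):
            peer = firms[(i + k) % n]
            graph[firm].add(peer)
            graph[peer].add(firm)
    return graph


def alert_reach(graph: Graph, origin: str, compromised: Set[str]) -> Set[str]:
    """Nodes that receive an alert from `origin`; compromised nodes forward nothing."""
    seen = {origin}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt in compromised or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen - {origin}


def coverage(graph: Graph, firms: List[str], origin: str, compromised: Set[str]) -> float:
    """Fraction of healthy, non-originating firms that actually receive the alert."""
    targets = [f for f in firms if f != origin and f not in compromised]
    if not targets:
        return 0.0
    reached = alert_reach(graph, origin, compromised)
    return sum(1 for f in targets if f in reached) / len(targets)


def nodes_to_silence(graph: Graph, firms: List[str], origin: str) -> int:
    """Smallest number of compromised nodes that cuts `origin` off from every healthy firm.

    Brute force over subsets; fine for the toy sizes used here.
    """
    others = [n for n in graph if n != origin]
    for k in range(1, len(others) + 1):
        for combo in itertools.combinations(others, k):
            comp = set(combo)
            if all(f in comp for f in firms if f != origin):
                continue  # nothing healthy left to reach; not a meaningful cut
            if coverage(graph, firms, origin, comp) == 0.0:
                return k
    return len(others)


def compare(n: int = 8) -> Dict[str, float]:
    """Run both topologies through the same failure scenarios and report coverage."""
    firms = [f"firm{i}" for i in range(n)]  # constructed firm identifiers
    hub = hub_and_spoke(firms)
    p2p = peer_to_peer(firms)
    return {
        "hub_healthy": coverage(hub, firms, "firm0", set()),
        "hub_clearinghouse_compromised": coverage(hub, firms, "firm0", {"clearinghouse"}),
        "p2p_healthy": coverage(p2p, firms, "firm0", set()),
        "p2p_one_peer_compromised": coverage(p2p, firms, "firm0", {"firm1"}),
        "nodes_to_silence_hub": nodes_to_silence(hub, firms, "firm0"),
        "nodes_to_silence_p2p": nodes_to_silence(p2p, firms, "firm0"),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With eight firms, one compromised node (the clearinghouse) silences the hub-and-spoke system entirely, whereas the ring keeps full coverage after losing a peer and needs four simultaneous compromises before the originating firm is cut off. The model ignores trust and data-quality questions (a peer-to-peer design must still decide which peers to believe), which is why the article treats the choice as a trade-off rather than a clear win.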
Distributed surveillance may be an even better fit for cyber-security than for public health, for several reasons. First, malicious computer code can often be detected more quickly than biological pathogens,280 which means that countermeasures can be developed and put in place rapidly. Biosurveillance can be slow because the incubation period for certain diseases—the amount of time between when a disease is contracted and when its symptoms first manifest—can be days or weeks. By contrast, it is possible to detect known malware in real time, as the code is passing through a company’s system. Of course, malware detection is imperfect.281 Deep packet inspection and other forms of network monitoring typically work by comparing streams of data against signatures of known malicious code.282 These systems are only as good as their underlying definitions files. If there is no signature for a particular type of malware, chances are it will not be detected. As a result, sophisticated “zero-day” attacks—so called because they occur before the first day on which security personnel become aware of them and begin to develop countermeasures—may well go unnoticed.283 Former CIA director Jim Woolsey emphasizes that “[i]f you can’t deal with a zero-day attack coming from a thumb drive . . . you have nothing.”284 Of course, these are the very sorts of attacks likely to be launched by sophisticated adversaries like foreign intelligence services. Public health law’s biosurveillance framework thus is probably better at detecting intrusions of low to modest complexity than those undertaken by foreign governments.

279 IBM, supra note 19, at 13–14; see also Sharp, supra note 8, at 25.
280 Rattray et al., supra note 8, at 152.
281 CLARKE & KNAKE, supra note 1, at 162; Sklerov, supra note 19, at 74.
282 See supra note 163 and accompanying text.
283 Rosenzweig, supra note 14, at 28 n.23; Zetter, supra note 48.
284 M
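The point that signature-based inspection is "only as good as its underlying definitions files" is easy to see in code. The following added example (written for this page, not taken from the article or any real inspection product) implements the core of a signature matcher over constructed sample traffic. The signature names, byte patterns and HTTP sample bodies are all invented; nothing here corresponds to real malware. It shows a known sample being caught, a near-identical variant and an unsigned ("zero-day") sample slipping through, the same zero-day sample being caught once a definition is added, and one implementation detail a real-time inspector must get right: a pattern that straddles two packets is missed unless the scanner carries an overlap between chunks.

```python
"""Signature matching over a byte stream, with its blind spots (added example)."""
from typing import Dict, Iterable, List

# Constructed "definitions file": signature name -> bytes that must occur verbatim.
SIGNATURES: Dict[str, bytes] = {
    "TOY-WORM-A": b"TOY-WORM-A:infect",
    "TOY-DROPPER-B": b"MZ\x90\x00TOY-DROPPER",
}

# Constructed sample traffic; the host name and payloads are invented.
HTTP_PREFIX = b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"
KNOWN_SAMPLE = HTTP_PREFIX + b"body=" + b"TOY-WORM-A:infect" + b"&end=1"
VARIANT_SAMPLE = HTTP_PREFIX + b"body=" + b"TOY-WORM-A:Infect" + b"&end=1"  # one byte differs
ZERO_DAY_SAMPLE = HTTP_PREFIX + b"body=" + b"TOY-NEW-C:payload" + b"&end=1"  # no signature yet


def scan(stream: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of every signature whose pattern occurs in the stream."""
    return [name for name, pattern in signatures.items() if pattern in stream]


def scan_chunked(chunks: Iterable[bytes], signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Scan a stream delivered packet by packet.

    Keeps the last (longest pattern - 1) bytes of each chunk as carry-over so a
    pattern split across two chunks is still found.
    """
    overlap = max(len(p) for p in signatures.values()) - 1
    carry = b""
    hits = set()
    for chunk in chunks:
        window = carry + chunk
        hits.update(scan(window, signatures))
        carry = window[-overlap:] if overlap else b""
    return sorted(hits)


def demo() -> Dict[str, List[str]]:
    """Run the four scenarios discussed in the text and return what each scan reports."""
    results = {
        "known": scan(KNOWN_SAMPLE),
        "variant": scan(VARIANT_SAMPLE),        # exact-match signatures miss a 1-byte change
        "zero_day": scan(ZERO_DAY_SAMPLE),      # nothing in the definitions file yet
    }
    # Definitions update: the zero-day sample now has a signature (constructed).
    updated = {**SIGNATURES, "TOY-NEW-C": b"TOY-NEW-C:payload"}
    results["zero_day_after_update"] = scan(ZERO_DAY_SAMPLE, updated)

    # Split the known sample so the pattern straddles a packet boundary.
    cut = KNOWN_SAMPLE.index(SIGNATURES["TOY-WORM-A"]) + 5
    chunks = [KNOWN_SAMPLE[:cut], KNOWN_SAMPLE[cut:]]
    results["per_chunk_naive"] = sorted({h for c in chunks for h in scan(c)})
    results["chunked_with_overlap"] = scan_chunked(chunks)
    return results


if __name__ == "__main__":
    for scenario, hits in demo().items():
        print(f"{scenario}: {hits or 'no detection'}")
```

Real products use far richer signatures (regular expressions, normalised protocol fields, behavioural rules) than a raw substring, but the structural limitation is the same: a detection fires only for patterns someone has already written down, which is exactly the gap the article's zero-day discussion describes.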
Second, cyber-threat monitoring has the potential to raise fewer privacy concerns than biosurveillance.285 Health care providers often give authorities sensitive information about individual patients, such as their names, Social Security numbers, and other personally identifiable information, as well as the diseases they have contracted.286 A properly designed cyber-monitoring system need not compile and disseminate information of the same sensitivity. Collection and sharing could be limited to information about the incidence and prevalence of known malware. The fact that the “ILoveYou” worm has infected a particular system exposes a great deal less personal information, and thus raises weaker privacy concerns, than the fact that a particular patient suffers from HIV or breast cancer.
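Whether a sharing scheme is "limited to information about the incidence and prevalence of known malware" is a property of the report format, and it can be checked mechanically before anything leaves the firm. The following added example (written for this page, not code from the article or any real sharing programme) takes a firm's own host-level detection log, which necessarily contains hostnames and user accounts, and reduces it to per-family counts and dates. The record layout, the firm identifier and the sample detections are constructed; the `leaked_values` check then confirms that none of the sensitive field values survive in the serialised report, and shows by contrast what a naive raw export would disclose.

```python
"""Data-minimised incidence/prevalence report for malware sharing (added example)."""
import json
from dataclasses import asdict, dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Detection:
    """One detection as a firm's monitoring might log it (constructed schema)."""
    host: str    # internal hostname: sensitive, stays inside the firm
    user: str    # account logged in at the time: sensitive
    family: str  # malware family named by the signature that fired
    day: str     # ISO date of the detection


SENSITIVE_FIELDS = ("host", "user")

# Constructed sample log; hostnames, accounts and family names are invented.
SAMPLE: List[Detection] = [
    Detection("ws-finance-07", "jdoe", "TOY-WORM-A", "2012-03-01"),
    Detection("ws-finance-07", "jdoe", "TOY-WORM-A", "2012-03-02"),
    Detection("ws-hr-02", "asmith", "TOY-WORM-A", "2012-03-03"),
    Detection("srv-mail-01", "svc-mail", "TOY-DROPPER-B", "2012-03-02"),
]


def incidence_report(firm_id: str, detections: Iterable[Detection]) -> Dict:
    """Aggregate to what a recipient needs: per family, how many distinct hosts were
    infected (prevalence), how many detections fired, and the first/last dates seen."""
    families: Dict[str, Dict] = {}
    for d in detections:
        entry = families.setdefault(
            d.family, {"hosts": set(), "first_seen": d.day, "last_seen": d.day, "detections": 0}
        )
        entry["hosts"].add(d.host)
        entry["first_seen"] = min(entry["first_seen"], d.day)
        entry["last_seen"] = max(entry["last_seen"], d.day)
        entry["detections"] += 1
    return {
        "firm": firm_id,
        "families": {
            fam: {
                "infected_hosts": len(e["hosts"]),  # count only; the names never leave
                "detections": e["detections"],
                "first_seen": e["first_seen"],
                "last_seen": e["last_seen"],
            }
            for fam, e in sorted(families.items())
        },
    }


def raw_export(firm_id: str, detections: Iterable[Detection]) -> Dict:
    """The naive alternative: ship the log as-is. Shown only to contrast with the above."""
    return {"firm": firm_id, "records": [asdict(d) for d in detections]}


def leaked_values(report: Dict, detections: Iterable[Detection]) -> List[str]:
    """Sensitive field values from the source log that appear anywhere in the
    serialised report. An empty list is the release gate for the sharing pipeline."""
    blob = json.dumps(report)
    found = {getattr(d, f) for d in detections for f in SENSITIVE_FIELDS if getattr(d, f) in blob}
    return sorted(found)


if __name__ == "__main__":
    report = incidence_report("firm-0042", SAMPLE)  # constructed firm identifier
    print(json.dumps(report, indent=2))
    print("leaked from minimised report:", leaked_values(report, SAMPLE))
    print("leaked from raw export:", leaked_values(raw_export("firm-0042", SAMPLE), SAMPLE))
```

The substring check in `leaked_values` is deliberately blunt (a very short username would produce false positives), which is the right bias for a release gate: a report is held back for review rather than sent when in doubt.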
The challenge, then, is to provide firms with incentives to collect and disseminate cyber-security information.287 At present companies have strong disincentives to do so, partly due to fears of legal liability,288 but also because of concerns about compromising trade secrets, losing customer goodwill, and reputational harms.289 Public health law facilitates collection and sharing through both direct regulation, such as state statutes requiring health care providers to notify authorities about patients who have contracted various infectious diseases, and less coercive alternatives.290 A similar arrangement might be adopted for cyberspace. The government could require firms to gather information about the vulnerabilities in their systems, the types of attacks they have suffered, and the countermeasures they have used to combat malware, and then to disseminate the data to designated recipients.291 Imposing such an obligation would not eliminate companies’ incentives to withhold cyber-security data. It would simply make it more costly for them to do so, where costs include the sanctions for hoarding discounted by the probability of punishment. Firms will be more likely to collect and share cyber-security data, but some will still find it advantageous to hoard.
There is also a less coercive, and probably more effective, alternative. Cyber-security data is a sort of public good, and economic theory predicts that it will be underproduced.292 Firms might be offered subsidies to encourage them to compile and exchange the needed information.293 These bounties could be direct payments from the government, tax credits, or deductions. They could also take the form of enhanced intellectual property protections for the cyber-security information firms generate. If the subsidies are large enough, firms will have an incentive not just to report the data they have already compiled, but to invest in discovering previously unknown vulnerabilities, threats, and countermeasures.294

285 But see Nojeim, supra note 14, at 126.
286 See GOSTIN, supra note 221, at 297.
287 Nojeim, supra note 14, at 128.
288 See supra notes 155−68, 201–08 and accompanying text.
289 See, e.g., Aviram, supra note 79, at 154; Aviram & Tor, supra note 139, at 240; Bambauer, Conundrum, supra note 12, at 611; Katyal, Digital Architecture, supra note 15, at 2278; Nojeim, supra note 14; Powell, supra note 14, at 501; Rosenzweig, supra note 14, at 9. But see O’Neill, supra note 19, at 281 (arguing that intercompany cooperation against cyber-attacks is not altogether uncommon).
290 See supra notes 235–42 and accompanying text.
291 Frye, supra note 153, at 370–71.
Antitrust law can also help recalibrate firms’ incentives.295 Antitrust is often skeptical of information sharing and other forms of cooperation among competitors.296 But exchanges of cyber-security data can enhance consumer welfare by preventing attacks from taking place or at least mitigating their effects.297 One way to incentivize companies to cooperate is to alleviate their apparently widespread fears of antitrust liability through judicial, administrative, or legislative action. Federal courts could expressly discard the per se approach and substitute a rule of reason when reviewing private sector agreements to share cyber-security data or to adopt common security protocols. Instead, arrangements would be judged on a case-by-case basis, and would stand or fall based on the degree to which they actually advance or hinder consumer welfare. This would reduce the risk of false positives—the danger that the coarse-grained per se rule might invalidate a cyber-security initiative that is actually welfare-enhancing. While this approach shows promise, it also carries some significant drawbacks. A judicial response may not sufficiently remove legal uncertainty. Companies will not always be able to predict whether reviewing courts will sustain or invalidate a proposed cyber-security venture, and the risk of liability will dissuade firms from forming them.298 In short, the uncertain prospects of ex post judicial approval may not provide firms with enough assurance ex ante.
A more promising approach would be for administrative agencies to sponsor cyber-security exchanges, as some in Congress have proposed.299 Agencies with special expertise in cyber-security (such as the NSA and the Department of Homeland Security) could partner with the agencies that are responsible for enforcing federal antitrust laws (the Federal Trade Commission and the Justice Department’s antitrust division) to establish fora in which companies could establish common security standards and exchange information. The government’s participation in these fora would offer assurances that they are being used for legitimate purposes and not as vehicles for anticompetitive conduct. From the standpoint of participating firms, this approach is advantageous because it offers them de facto antitrust immunity.300 It is unlikely that an agency such as the FTC or DOJ that sponsored a cooperative cyber-security arrangement later would go to court to have it invalidated. And while the blessing of these agencies does not formally bind other potential plaintiffs, such as state attorneys general or private parties, their determination that a proposed venture is permissible under federal antitrust laws probably would receive a healthy dose of judicial deference. Government sponsorship has another advantage: it can help solve the coordination and free-rider problems associated with collective action.301 A regulator can mitigate these tendencies by coercing firms into participating in the forum and complying with its requirements; it also can withhold the forum’s benefits from firms that shirk.

292 See supra notes 137–39 and accompanying text. But see Aviram & Tor, supra note 139, at 240–47 (arguing that information can be a rivalrous good).
293 See Nojeim, supra note 14, at 128.
294 But see Malloy, supra note 86, at 572–73 (predicting that firms will tend to neglect “regulatory investments”—i.e., expending scarce resources to obtain benefits offered to those who comply with government regulations).
295 Cf. Adler, supra note 155 (discussing antitrust law in the context of marine resources, another public good).
296 See supra notes 235–42 and accompanying text.
297 See supra notes 153–54 and accompanying text.
298 See supra notes 165–68 and accompanying text.
A third alternative would be for Congress to enact a cyber-security exception to the antitrust laws.302 The upside of a legislative carve-out is that it would eliminate virtually all risk of liability and thus remove one powerful disincentive for companies to cooperate on cyber-security initiatives. Ideally, such a measure would be narrowly tailored to the precise sort of interfirm cooperation that is desired—the exchange of vulnerability, threat, and countermeasure information and the development of common security protocols. In other words, the exemption would be pegged to specific conduct, and would not immunize entire industries (as used to be the case with major league baseball303). A broader exception would offer few additional cyber-security gains and could open the door to anticompetitive conduct.
We also might consult products liability law for ideas on how to incentivize companies to exchange cyber-security data. Firms do not have strong incentives to search for vulnerabilities in their systems or products, and ISPs are reluctant to monitor network traffic for malicious code.304 Lawmakers might use a combination of carrots and sticks to recalibrate these incentives. Offers of immunity would increase companies’ expected benefits of compiling and sharing cyber-security data; threats of liability would increase their expected costs of failing to do so.305

300 BRENNER, supra note 1, at 228.
301 See Kobayashi, supra note 136, at 23.
302 Katyal, Community, supra note 135, at 52.
303 See Flood v. Kuhn, 407 U.S. 258 (1972), superseded by statute, 15 U.S.C. § 26b (2006); Fed. Baseball Club of Balt., Inc. v. Nat’l League of Prof’l Baseball Clubs, 259 U.S. 200 (1922).
Consider the carrots first. Firms could be offered immunity from various laws that presently inhibit them from collecting and exchanging certain information about cyber-vulnerabilities and threats. In particular, Congress could expand the service-provider exception to the Federal Wiretap Act’s general ban on intercepting electronic communications.306 And the exception could be broadened to authorize ISPs to monitor network traffic for malicious code that threatens their subscribers’ systems, not just their own. Congress could also authorize ISPs to notify customers whose systems are found to be infected by malware.307 It further could expressly preempt any state laws to the contrary. This would foreclose any claims that monitoring for malware violates state privacy law or breaches the terms of service between an ISP and its subscribers. In all cases, eligibility for these forms of immunity could be conditioned on information sharing: a company would not be able to take advantage of the safe harbor unless it shared the information it discovered with other firms. The result would be to foster strong incentives to exchange data about threats and vulnerabilities.
As for the sticks, below I propose modifying tort law’s traditional economic loss doctrine in the cyber-security context.308 Firms that implement approved security standards would enjoy immunity from lawsuits seeking redress for injuries sustained from an intrusion; companies that disregard the protocols would be subject to lawsuits for any resulting damages. Under such a scheme, a company that implemented the standards might have its immunity stripped if it failed to share information about known weaknesses in its systems or products. As for firms that fail to adopt the security standards, the lack of information sharing could be treated as an aggravating factor; extra damages could be imposed on firms that are aware of vulnerabilities or threats but fail to share that information with other companies. This series of tiered penalties would produce marginal deterrence; firms would have good reason not only to implement the approved security standards, but also to exchange the threat and vulnerability information on which those protocols depend.